Hi everyone! I'm currently experiencing some problems with windows hosts where some scheduled queries with large result sets (e.g. "select * from startup_items") and differential result logging seem to start "from scratch" whenever the query is run. The result is that all results are logged all the time as added, the counter stays at 0 and if I look at osquery_schedule I see that executions and last_executed stay at 0. I'm pretty certain that it's not a problem with the query or configuration as it works fine on other hosts. What I noticed is that if I change the path for the rocksdb on the client it sometimes fixes the problem, however this isn't feasible on a large setup. Did anyone of you experience something similar or can give me a hint on how to debug this problem?

I cannot pattern match this exact issue but the on-disk database that osquery uses internally to maintain state sounds like a potential root cause. Do you have logs for when these clients continue to use the older database (before you move to a new one and fix the problem)?

right now none of the affected hosts are online, so i can't pull the logs. I'll try to recreate the problem with the 4.1.2 on a different machine